Merchant Self-Assessment Questionnaires (SAQs)
PCI compliance is not a one-time event but an ongoing process consisting of three steps: Assessment, Remediation and Reporting. Assessment inventories all IT hardware, software and business processes used for payment card processing and then analyzes them for vulnerabilities that could expose cardholder data. Remediation is the process of fixing those vulnerabilities. Reporting for a Level 3 merchant such as WSU entails compiling records to validate remediation and submitting compliance reports to the acquiring bank and global payment brands.
Assessment begins with describing the IT infrastructure and processes that access the payment processing system. Determine how cardholder data flows from the beginning to the end of the transaction process, including PCs and laptops that access critical systems, storage for paper receipts, and any media on which cardholder data is kept (even if that data is only "stored" for a few minutes before it is entered into the card processing device). Record the make, model and version of every PIN entry device and payment terminal, and of every software application used for payment card transactions and processing, and confirm that each holds current PCI validation (for example, that a terminal appears on the PCI SSC list of approved PIN Transaction Security devices). Merchant liability for PCI compliance extends to third parties involved in the process flow (e.g. software, hosting services, web development, software-as-a-service, application development), so the merchant must also confirm that every third-party service provider is PCI DSS compliant and keep evidence of that status, such as the provider's current Attestation of Compliance.
The self-assessment questionnaire is a validation tool for merchants who qualify to self-assess. Its purpose is to help the merchant evaluate its own compliance with the PCI DSS. There are several versions of the SAQ for different business scenarios; which one applies depends on how the merchant accepts and processes cardholder data. Each SAQ is a series of yes-or-no questions about the merchant's data security posture and practices (a question may be answered "not applicable" only when the requirement genuinely does not apply to the merchant's environment, and the reason must be documented). A comprehensive assessment is vital to understanding how the merchant does business, which elements of the cardholder data environment may be vulnerable to security exploits, and where to direct remediation.
Remediation is the process of fixing vulnerabilities, which may include technical flaws in software code or unsafe practices in how a department processes, handles or stores cardholder data. Do not store cardholder data unless you need it, and never store sensitive authentication data (full magnetic-stripe or chip data, card verification codes, PINs) after authorization, even in encrypted form. Classify and rank the vulnerabilities uncovered in the Assessment step to help prioritize the order of remediation, from most serious to least serious. Apply patches, fixes, workarounds and changes to unsafe processes and workflows, and retain evidence of each fix for the Reporting step.
Annual reports are required for PCI compliance and are submitted to the acquiring bank. Merchants whose SAQ type requires external vulnerability scanning (of the SAQ types listed below, SAQ B-IP and SAQ C) must submit a year's worth of passing quarterly scans performed by a PCI SSC Approved Scanning Vendor (ASV). In addition, each merchant is required to submit an annual Attestation of Compliance, which is included with the SAQ. WSU merchants will complete their respective SAQs and submit them to a central WSU repository. The WSU PCI compliance team will compile the information, roll it up into a single SAQ for the entire University and submit it to the acquiring bank.
The self-assessment questionnaires relevant to WSU's various merchant types are listed below. Open the document to read it or save a copy. In general, a separate SAQ must be completed for each merchant account. Multiple merchant accounts used in one system (e.g. the Micros POS used by Housing and Dining) may be grouped into a single SAQ, with a list of the merchant accounts included with the SAQ.
- SAQ V3.2.1 Instructions and Guidelines
- SAQ A V3.2.1 (card-not-present merchants that have fully outsourced all cardholder data functions to PCI DSS validated third parties)
- SAQ B V3.2.1 (imprint machines or standalone dial-out terminals only; no electronic cardholder data storage)
- SAQ B-IP V3.2.1 (standalone PTS-approved payment terminals with an IP connection to the payment processor; no electronic cardholder data storage)
- SAQ C V3.2.1 (payment application systems connected to the internet; no electronic cardholder data storage)
- SAQ C-VT V3.2.1 (web-based virtual terminal on an isolated workstation, one transaction keyed at a time; no electronic cardholder data storage)
- SAQ P2PE V3.2.1 (hardware payment terminals in a PCI-listed point-to-point encryption solution; no electronic cardholder data storage)
- SAQ V3.2.1 Requirements and Security Assessment Procedures